Saturday, August 29, 2009

HowTo stunnel, Pt 2

In my example config, I specified:
syslog=yes
debug=7
output=/opt/stunnel/stunnel.log
First, the entry syslog=yes already sends stunnel's messages to /var/log/secure, which makes the stunnel.log output file redundant.

Second, debug=7 is more than we need for production. Dropping it lower, nothing gets logged under normal load, not even a restart of the service. Debug 5 gets the starts and stops, but logs three lines per transaction. It's a thin line to tread, but looks like I'm going to use 5.

The next problem is that, as presented, the server will accept connections from anyone: the client's PEM was never used. We need to tell the server to force clients to authenticate. We'll do this with a certificate exchange. Add two lines to the server's config file:
CAfile=/etc/stunnel/server.ca
verify=2
We won't really have a CA, but it will be close enough. Copy server.pem to server.ca, which we will modify in a few minutes.

On the client:
echo "-----`hostname`-----" > `hostname -s`.crt
sed -ne '/BEGIN CERT/,/END CERT/p' \
    <server.pem   >>`hostname -s`.crt
Ship this off to the server.

On the server, we will add the CRT we just transferred from the client to the CA we created a few moments ago:
cat clientfile.crt   >> server.ca
Restart stunnel on both ends. Unless a client's CRT has been added to the server's CA, it can't get in.
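The exchange above, written out as an added example (not code from the original post): a few shell functions that extract only the certificate from a client's stunnel PEM, append it to the server's CA bundle without ever letting a private key in and without adding the same certificate twice, and, where openssl is installed, run the same chain check stunnel's verify=2 will run. It assumes the one-file PEM layout stunnel generates (private key followed by certificate), one certificate per client, and uses its own function and file names (extract_cert, add_client_cert, verify_client, clienthost.crt). The PEM in the demonstration is a constructed placeholder, not a real key or certificate.

```shell
#!/bin/sh
# Added example, not code from the original post: helpers for the
# client-certificate exchange described above. Assumes the one-file PEM
# layout stunnel generates (private key followed by certificate) and that
# each client ships a single certificate. Function and file names are this
# example's own.

# extract_cert PEMFILE LABEL
# Prints a labelled certificate block and nothing else; the private key in
# PEMFILE never leaves the client.
extract_cert() {
    pem="$1"; label="$2"
    grep -q 'BEGIN CERTIFICATE' "$pem" || { echo "no certificate in $pem" >&2; return 1; }
    printf '%s\n' "-----${label}-----"
    sed -ne '/BEGIN CERT/,/END CERT/p' "$pem"
}

# cert_bodies FILE
# One line per certificate in FILE: its base64 body with newlines removed.
# Label lines such as "-----clienthost-----" fall outside a block and are ignored.
cert_bodies() {
    awk '/BEGIN CERT/ {b=""; inb=1; next}
         /END CERT/   {print b; inb=0; next}
         inb          {b = b $0}' "$1"
}

# add_client_cert CRTFILE CAFILE
# Appends CRTFILE to CAFILE (the file named by CAfile= in stunnel.conf),
# refusing private keys and skipping certificates already in the bundle.
add_client_cert() {
    crt="$1"; ca="$2"
    if grep -q 'PRIVATE KEY' "$crt"; then
        echo "refusing: $crt contains a private key" >&2
        return 1
    fi
    body=$(cert_bodies "$crt")
    [ -n "$body" ] || { echo "no certificate in $crt" >&2; return 1; }
    if [ -f "$ca" ] && cert_bodies "$ca" | grep -qxF -- "$body"; then
        echo "$crt already present in $ca"
        return 0
    fi
    cat "$crt" >> "$ca"
}

# verify_client CRTFILE CAFILE
# Runs the chain check stunnel's verify=2 performs, when openssl is installed.
# A self-signed client certificate verifies once its own copy is in the bundle.
verify_client() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found, skipping verify"; return 0; }
    openssl verify -CAfile "$2" "$1"
}

# --- demonstration with a constructed, non-functional PEM (not a real key or cert) ---
work=$(mktemp -d)
cat > "$work/client.pem" <<'EOF'
-----BEGIN RSA PRIVATE KEY-----
Q09OU1RSVUNURUQtUExBQ0VIT0xERVItS0VZ
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtUExBQ0VIT0xERVItQ0VSVA==
-----END CERTIFICATE-----
EOF
extract_cert "$work/client.pem" "clienthost" > "$work/clienthost.crt"
add_client_cert "$work/clienthost.crt" "$work/server.ca"
add_client_cert "$work/clienthost.crt" "$work/server.ca"    # second run is a no-op
printf 'certificates in server.ca: %s\n' "$(grep -c 'BEGIN CERT' "$work/server.ca")"
rm -rf "$work"
```

On a real pair of files, run extract_cert on the client, ship the .crt, run add_client_cert on the server, then verify_client clienthost.crt server.ca before restarting stunnel; a failing verify means the restart would lock that client out. The same extraction applies to server.pem when creating server.ca in the first place, since a CAfile only needs certificates, not the server's private key.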
